1

(0 ответов, оставленных в FreeBSD & BSD)

Задача первоначальная просто ограничить человека.

FreeBSD 8.0
Firewall - PF

age0 - локальная сеть
ng0 - интерфейс от mpd (при подключении pppoe создается)

user1 - которого надо ограничить


# Interfaces
int_if="age0"
ext_if_ttk="ng0"
icmp_types="{ echoreq, unreach}"
# Lan
table <user1> {192.168.0.2}
table <trusted_lan> { 192.168.0.0/24 }
non_route_nets_inet="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
localnet="127.0.0.0/8"
my_ports="{ 20,21,22,25,47,110,80,1723,5222,8010,9090,9091,8100,9100 }"
# Global options
set block-policy return
set skip on lo0
set skip on $int_if
set timeout { frag 10, tcp.established 3600 }
scrub on ng0 all no-df max-mss 1400
scrub on age0 all no-df max-mss 1400
# ALTQ
altq on $int_if cbq bandwidth 100Mb queue { inet_in, default_in }
queue inet_in bandwidth 1Mb{ quser1_in }
queue quser1_in bandwidth 10% cbq( red, borrow )
queue default_in bandwidth 99% cbq( default )
altq on $ext_if_ttk cbq bandwidth 100Mb queue { inet_out, default_out }
queue inet_out bandwidth 1Mb{ quser1_out }
queue quser1_out bandwidth 10% cbq( red, borrow )
queue default_out bandwidth 99% cbq( default )
# Port forwarding & NAT
nat on $ext_if_ttk from <trusted_lan> to !<trusted_lan> -> ($ext_if_ttk)
# Filter options
block all
antispoof log quick for $ext_if_ttk
block drop in log quick on $ext_if_ttk from $non_route_nets_inet to any
pass proto 47 all keep state
pass out on $ext_if_ttk from $ext_if_ttk to any keep state
#####
pass in on $int_if from <user1> to !<trusted_lan> queue quser1_out no state
pass out on $int_if from !<trusted_lan> to <user1> queue quser1_in no state
#####
pass log inet proto icmp all icmp-type $icmp_types

используя pfctl -sq -vv я так и ничего не вижу. Пакеты не дропаются.. скорость не режется.
Может где ошибка? Что то не то делаю?